You may have heard about the GDPR and started receiving emails from online retailers and other applications about them updating their privacy conditions. The General Data Protection Regulation (GDPR) was passed by the European Union in April 2016 and will be fully enforced in just over two weeks, on the 25th of May 2018. Organisations have had just over 2 years to get ‘compliant’ but many are now scrambling.
What is the GDPR exactly? Essentially, it is a new set of Guidelines being rolled out in the EU which stipulates how customers’ (and prospective customers’) data and information can be stored and used. The GDPR also protects individuals’ online data in the European Economic Area (EEA) and governs how businesses use this data in advertising campaigns. Given the flak that Facebook has copped recently about data leaks, this probably couldn’t come at a better time for consumers.
It’s thought that these new rules will affect the vast majority of businesses in Europe, including England regardless of Brexit.
What does it affect specifically?
The 3 main aspects of the new Guidelines are around consent, usage and storage (or ‘data processing’) of ‘personal data’.
Consent – Users must consent to their data being stored. You may have noticed more pop-ups on websites recently asking you to agree to their cookies policy, and emails from large online retailers asking you to confirm that they can continue to send you email marketing materials. See an example from online giant ASOS below. Parental consent will be required for users under the age of 16.
Usage – It needs to be clear to the user what their data is going to be used for and whether it’s going to be passed on to third parties (and this must be consented to). There are also Guidelines that the data stored must be limited to what is specific to the purpose.
Storage – There are Guidelines for how long a user’s data can be stored for, and the user must be made aware of this also. The data also needs to be secure.
The last major thing to be across is that users have the right to a) ask what information is being stored on them and b) for it to be removed in a certain amount of time.
What is counted as ‘personal data’ and ‘data processing’?
All of this relates to the ‘personal data’ of a user – but what counts as personal data? The GDPR counts any unique identifier. This includes things like a name, IP address, physical address, email address, social security number etc. ‘Data processing’ is anything from recording, obtaining, storing or holding the personal data and carrying out any related actions with it.
How can this be binding?
The internet is ungoverned, right? How can someone or something make a legally binding set of rules, laws or guidelines like this? Surely we can just ignore it? Unfortunately not.
According to Wikipedia, citing Info Law Group, because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
What are the penalties for non-compliance?
Organisations can be fined up to 4% of their revenue, to the sum of up to 20 million Euros. Woah!
Even if your business is in New Zealand, the GDPR regulations will apply to you if you currently offer services, goods and products to citizens of the EU. Next week we will be posting another blog on why it’s important to become compliant, and after that some tips to help you on your way. In the meantime, if you have any questions please give us a call on 0800 878 833.